On 20:58 Mon 03 Oct , Adam Young wrote:
Tomcat has a class called "Realm" which is basically a way of managing the set of authentication mechanisms. PKI seems to use an older approach which bypasses the Realm config in Tomcat. I started looking at what it would take to close the distance between the two. In doing so, I found something interesting in the OpenJDK code base:
In /usr/lib/jvm/java-1.6.0/jre/lib/security/java.security, there is a section that looks like this:

    #
    # List of providers and their preference orders (see above):
    #
    security.provider.1=sun.security.provider.Sun
    security.provider.2=sun.security.rsa.SunRsaSign
    ...
    # the NSS security provider was not enabled for this build; it can be enabled
    # if NSS (libnss3) is available on the machine. The nss.cfg file may need
    # editing to reflect the location of the NSS installation.
    #security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
This is added by IcedTea, which can enable NSS support during the build. However, from the commenting, it seems the option has not been turned on in the Fedora packages.
If you check that /usr/lib/jvm/java-1.6.0-openjdk/lib/security/nss.cfg points at your NSS install, then uncommenting that line should allow Java to use NSS for cryptography.
So it seems that Sun had, at least in the past, supported NSS as a Security provider. For the members of the Java team not familiar with NSS (I wasn't), it is the Network Security Services and is the basis for, amongst other things, how Mozilla stores passwords and certificates. PKI makes pretty heavy use of NSS, via the open-source Java bindings in JSS.
This page here has more info:
http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html#In...
It seems like the Oracle JDK has had support in the past for NSS as a JAAS module. To close the acronym loop with Tomcat, Tomcat has a JAAS Realm class. What this says to me is that, at one point, Java developers could have configured Tomcat to use NSS as the authentication mechanism for an application.
AIUI, the JDK implementation just uses NSS to provide cryptography algorithms, not authentication.
This class ships in the file:
/usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/ext/sunpkcs11.jar
and the native library is in
/usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/amd64/libj2pkcs11.so
So it looks like we might have an additional Java implementation of NSS available, one that can potentially provide NSS support for Tomcat and JBoss via JAAS. It looks like all it requires is a change to the configuration file that we ship. I'm not quite sure how we would go about doing this in an automated fashion, short of pulling in libnss3 as part of OpenJDK support. I'm guessing that if we enable it and the NSS library is missing it errors out in some ugly manner, but I have not tested it.
The Fedora java-1.6.0-openjdk package would need to be altered to pass --enable-nss to configure and to depend on libnss3 (as you say).
I can't remember exactly how it errors out off-hand and I've never had a system without NSS on to see that on! If you have Firefox, you have NSS.
Is anyone familiar with this code?
I am; I added the support in IcedTea and fixed some bugs in the NSS code upstream (which took forever; the security-dev OpenJDK people at Oracle are very slow to respond in my experience).
Would it be acceptable to activate this security module by default and to pull in libnss with Java? Is there some automated way to enable this if NSS is installed?
Debian and Ubuntu do enable it, and the option is there as a USE flag in Gentoo. However, an issue did come up regarding it and Firefox:
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473
which may be a blocker. As I say, the process of enabling it is just a two line change in the java-1.6.0-openjdk spec file.
-- java-devel mailing list java-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/java-devel
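The thread above discusses uncommenting the SunPKCS11/NSS provider line in java.security and pointing nss.cfg at the NSS installation, and asks whether that could be done automatically only when NSS is present. The script below is an added example written for this page, not code from the thread, IcedTea, or the Fedora package. It assumes a GNU/Linux layout in which libnss3.so lives in a directory such as /usr/lib64 (that path, and the file paths passed in, are assumptions); the nss.cfg keys (name, nssLibraryDirectory, nssDbMode, attributes) are the ones documented in Sun's PKCS#11 guide for the NSS mode of SunPKCS11.

```shell
#!/bin/sh
# Added example (not from the thread): enable the SunPKCS11/NSS provider in a
# java.security file only when the NSS shared library can actually be found,
# so a missing libnss3 does not leave Java with a broken provider entry.
# Example paths: /usr/lib64 for libnss3.so (an assumption for this example).

# Write a minimal nss.cfg for SunPKCS11 in "noDb" mode (crypto only, no NSS
# certificate/key database), using the documented configuration keys.
#   $1 = output path for nss.cfg   $2 = directory containing libnss3.so
write_nss_cfg() {
    cat > "$1" <<EOF
name = NSS
nssLibraryDirectory = $2
nssDbMode = noDb
attributes = compatibility
EOF
}

# Uncomment the "#security.provider.N=sun.security.pkcs11.SunPKCS11 ... nss.cfg"
# line in the given java.security file, but only if libnss3.so exists in $2.
# Returns 0 when the provider is enabled, 1 (file untouched) when NSS is absent.
#   $1 = path to java.security   $2 = directory expected to hold libnss3.so
enable_nss_provider() {
    if [ ! -f "$2/libnss3.so" ]; then
        return 1
    fi
    # Edit via a temporary file so this works with non-GNU sed as well.
    sed 's|^#\(security\.provider\.[0-9]*=sun\.security\.pkcs11\.SunPKCS11 .*nss\.cfg\)|\1|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Report whether the SunPKCS11 provider line is active (0) or still commented (1).
#   $1 = path to java.security
nss_provider_enabled() {
    grep -q '^security\.provider\.[0-9]*=sun\.security\.pkcs11\.SunPKCS11' "$1"
}

# Usage on a real system (assumed paths):
#   write_nss_cfg /usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/nss.cfg /usr/lib64
#   enable_nss_provider /usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/java.security /usr/lib64 \
#       || echo "libnss3.so not found; provider left disabled"
```

After enabling, `java -cp . ListProviders` style checks (or simply running an application that calls `Security.getProviders()`) should show a provider named `SunPKCS11-NSS`; if the path in nss.cfg is wrong, SunPKCS11 fails to initialise and the provider is silently skipped, which is why the script refuses to uncomment the line without first finding the library.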